feat: instance groups instance-level role support

[alpetric]

Summary

• Add ability to assign instance-level roles (superadmin/devops) to instance groups
• Group members automatically receive the highest role from all their groups
• Manual elevated roles (set by superadmin) always take precedence over group roles
• Role propagation on all mutation paths: add/remove user, update/delete group, bulk import
• Frontend: instance role toggle in group editor drawer, role column in tables, role source indicator in superadmin settings users list
• DB migration adds instance_role to instance_group and role_source to password with CHECK constraints

Companion PR

• EE: https://github.com/windmill-labs/windmill-ee-private/pull/463

Test plan

• Create instance group, set instance role to devops/superadmin, verify members receive the role
• Add/remove user from group with instance role, verify role updates
• Manually set a user to superadmin, verify group changes don't override
• Demote manually-elevated user to "user", verify group role takes over
• Delete group with instance role, verify members are demoted
• Verify "Set by instance group" indicator in superadmin settings
• Verify SCIM sync propagates roles correctly

🤖 Generated with Claude Code

[cloudflare-workers-and-pages]

Deploying windmill with    Cloudflare Pages

Latest commit:	c3f09a6
Status:	✅  Deploy successful!
Preview URL:	https://50b455bc.windmill.pages.dev
Branch Preview URL:	https://alp-instance-groups-super-ad.windmill.pages.dev

View logs

[alpetric]

/updatesqlx

[windmill-internal-app]

Starting sqlx update...

View workflow run

[windmill-internal-app]

❌ SQLx update failed. Please check the workflow logs for details.

[windmill-internal-app]

🤖 Updated ee-repo-ref.txt to 278a3887f759f9d1146554baa0765518d5bc70f2 after windmill-ee-private PR #463 was merged.